Abstract. The number field sieve is asymptotically the fastest known integer factorisation algorithm. The algorithm begins with the selection of a pair of low-degree integer polynomials. The coefficient size of the chosen polynomials then plays a key role in determining the running time of the algorithm. Nonlinear polynomial selection algorithms approach the problem of constructing polynomials with small coefficients by employing a reduction to the well-studied problem of finding short vectors in lattices. The reduction rests upon the construction of modular geometric progressions with small terms. In this paper, tools are developed to aid in the analysis of nonlinear algorithms. Precise criteria for the selection of geometric progressions are given. Existing nonlinear algorithms are extended and analysed.



1. Introduction 

To factor an integer N, the number field sieve (NFS) [?] begins with the selection of low-degree coprime irreducible polynomials $f_1, f_2 \in \mathbb{Z}[x]$ with a common root modulo N. If $F_i \in \mathbb{Z}[x,y]$ denotes the homogenisation of $f_i$, for $i = 1, 2$, then the time taken to factor N depends on the supply of coprime integer pairs $(a, b)$ for which $F_1(a,b)$ and $F_2(a,b)$ are smooth. Pairs with this property, called relations, are identified by sieving. The polynomial selection problem is concerned with determining a choice of polynomials that minimises the time taken by the sieve stage of the algorithm.

The size of the values taken by the polynomials $F_1$ and $F_2$ is a key factor in determining the supply of relations (see [23, 21]). Polynomial selection algorithms address this factor by seeking to generate polynomials with small coefficients. The efforts of research into this problem have been divided between two different approaches: so-called linear and nonlinear algorithms. Linear algorithms were introduced during the development of the number field sieve [3] and subsequently improved by Montgomery and Murphy [24], and Kleinjung [11, 10]. They have been used in a string of record setting factorisations, culminating in the factorisation of a 768-bit RSA modulus [12]. Polynomials are found by selecting nonzero integers $a_d$, $m$ and $p$ such that $a_d m^d \equiv N \pmod{p}$. Then N is represented in the form $N = \sum_{i=0}^{d} a_i m^i p^{d-i}$, for integers $a_0, \ldots, a_{d-1}$. Each representation gives rise to a degree d polynomial $f_1 = \sum_{i=0}^{d} a_i x^i$ and a linear polynomial $f_2 = px - m$ with common root $mp^{-1}$ modulo N.

Polynomials produced by linear algorithms experience an imbalance in the size of the values $F_1(a,b)$ and $F_2(a,b)$: for most pairs $(a,b) \in \mathbb{Z}^2$, the nonlinear polynomial produces values that are larger and thus less likely to be smooth. Nonlinear algorithms address this problem by producing pairs of nonlinear polynomials with equal or almost equal degrees. Current methods for nonlinear polynomial selection rely on the construction of geometric progressions with small terms modulo N and techniques from the algorithmic geometry of numbers. The first example of a nonlinear algorithm, Montgomery's two quadratics algorithm (reported in [8, Section 5]), produces pairs of quadratic polynomials with provably optimal coefficient size. However, quadratic polynomial pairs are only competitive for the factorisation of integers containing at most 110-120 digits (see [23, Section 2.3.1]). Montgomery [?] outlined a generalisation of the quadratic algorithm to arbitrary degrees. Constructing geometric progressions that meet the requirements of Montgomery's generalisation remains a largely open problem.

Recent developments in geometric progression construction and relaxations of the requirements of Montgomery's approach have led to a string of new nonlinear algorithms. This line of research begins with Williams' [33] algorithms for producing quadratic and cubic polynomial pairs. Refinements to Williams' algorithms and extensions to arbitrary degree were given by Prest and Zimmermann [30]. Finally, Koo, Jo and Kwon [13] extended methods for constructing geometric progressions.

In this paper, tools from the geometry of numbers are developed to aid in the analysis of nonlinear algorithms. The tools allow precise criteria for selecting geometric progressions to be given. A family of geometric progressions modulo N containing those used in existing algorithms is characterised. The characterisation enables minor extensions to existing nonlinear algorithms to be made. Parameter selection for the new algorithms is considered. Due to the work of Brent, Montgomery and Murphy [22, 23, 24], it is understood that an abundance of roots modulo small primes can significantly increase the yield of a number field sieve polynomial. This factor, called the root properties of a polynomial, is considered where possible.

The remainder of the paper is organised as follows. In the next section, notation is established and relevant background material provided. Particular attention is given to the methods used to measure coefficient size throughout this paper. These methods differ from the existing literature on nonlinear polynomial selection. Their motivation is therefore discussed in detail. In Section 3 nonlinear polynomial selection is reviewed. Sections 4 and 5 contain new nonlinear generation algorithms.

2. Preliminaries 

This section introduces notation, definitions, and preliminary results required 
for subsequent sections. 

2.1. Skewed coefficient norms and the resultant bound. In this section, the coefficient norms used throughout this paper to measure coefficient size are introduced. Then a lower bound on the coefficient size of polynomial pairs with a common root modulo N is derived. Throughout, it is assumed that a sieve is used to identify all relations contained in a region $\mathcal{A}$ of the form $\mathcal{A} = [-A, A] \times [0, B]$. The actual form of the region depends on the method of sieving. Furthermore, it is known that a rectangular sieve region is not optimal in general [32]. The area $2AB$ of $\mathcal{A}$ is approximately determined by the size of the input N. Therefore, it will be assumed that the quantity $V = \sqrt{AB}$ is fixed. Then the region $\mathcal{A}$ is determined by the parameter $s = A/B$ called the skew of the region: $A = V\sqrt{s}$ and $B = V/\sqrt{s}$.
2.1.1. Skewed coefficient norms. Given two polynomials $f_1$ and $f_2$, the size of the values taken by the respective homogenisations $F_1$ and $F_2$ over the sieve region $\mathcal{A}$ can be roughly quantified by the integral

$$\int_{\mathcal{A}} |F_1(x,y)F_2(x,y)|\,dx\,dy.$$

Using Hölder's inequality to bound this integral suggests that the size properties of a degree d polynomial f can be quantified by the integral

$$\int_{\mathcal{A}} F(x,y)^2\,dx\,dy = \int_{0}^{V}\int_{-V}^{V} F\!\left(\sqrt{s}\,x,\ \frac{y}{\sqrt{s}}\right)^{2} dx\,dy.$$

Montgomery and Murphy consider a similar quantity in their linear algorithm [24, Procedure 5.1.6]. The integrand on the right motivates the following choice of norm:

Definition 2.1. Let $f = \sum_{i=0}^{d} a_i x^i \in \mathbb{R}[x]$ be a degree d polynomial. For a given skew $s > 0$, the skewed 2-norm of f is defined to be

$\|f\|_{2,s} =$

The case $s = 1$ corresponds to the 2-norm of f, simply denoted $\|f\|_2$.

An $\infty$-norm analogue of the skewed 2-norm, called the sup-norm, appears in [11]. A skew of a polynomial f is any value $s > 0$ for which $\|f\|_{2,s}$ is minimal.



2.1.2. The resultant bound. For nonzero coprime polynomials $f_1, f_2 \in \mathbb{Z}[x]$ with a common root modulo N, the resultant bound provides a lower bound on the 2-norms of $f_1$ and $f_2$:

$$N \le \|f_1\|_2^{\deg f_2} \cdot \|f_2\|_2^{\deg f_1}. \qquad (2.1)$$



The 2-norm may greatly over-estimate the coefficient size of polynomials with large skew. To provide tighter bounds, a generalisation of inequality (2.1) is now derived for the skewed 2-norm. To begin, the definition and some properties of the resultant of two polynomials must first be introduced.

Let $f = \sum_{i=0}^{m} a_i x^i$ and $g = \sum_{i=0}^{n} b_i x^i$ be non-constant polynomials with complex coefficients and $a_m b_n \neq 0$. The Sylvester matrix of f and g, denoted $\mathrm{Syl}(f, g)$, is the $(m+n) \times (m+n)$ matrix

$$\mathrm{Syl}(f,g) = \begin{pmatrix} a_m & a_{m-1} & \cdots & a_0 & & \\ & \ddots & \ddots & & \ddots & \\ & & a_m & a_{m-1} & \cdots & a_0 \\ b_n & b_{n-1} & \cdots & b_0 & & \\ & \ddots & \ddots & & \ddots & \\ & & b_n & b_{n-1} & \cdots & b_0 \end{pmatrix},$$

where there are n rows containing the $a_i$, m rows containing the $b_i$, and all empty entries are 0. The resultant of f and g, denoted $\mathrm{Res}(f, g)$, is equal to the determinant of the Sylvester matrix $\mathrm{Syl}(f, g)$. For the purpose of generalising the resultant bound, the following well-known properties of resultants are required:
• If $\alpha_1, \ldots, \alpha_m \in \mathbb{C}$ are the roots of f and $\beta_1, \ldots, \beta_n \in \mathbb{C}$ the roots of g, then

$$\mathrm{Res}(f,g) = a_m^n b_n^m \prod_{i,j} (\alpha_i - \beta_j).$$

• If $f, g \in \mathbb{Z}[x]$, then $\mathrm{Res}(f, g)$ belongs to the ideal $(f, g) \cap \mathbb{Z}$.

Proofs of these two properties can be found in [7, Section 1.3.2]. The two properties imply that coprime non-constant polynomials $f_1, f_2 \in \mathbb{Z}[x]$ with a common root modulo N must satisfy $N \le |\mathrm{Res}(f_1, f_2)|$. The resultant bound (2.1) is then obtained by applying Hadamard's inequality (see [?, Section 1.3]) to bound the absolute value of $\det \mathrm{Syl}(f_1, f_2)$. The following lemma generalises the upper bound obtained from Hadamard's inequality.

Lemma 2.2. Let $f = \sum_{i=0}^{m} a_i x^i$ and $g = \sum_{i=0}^{n} b_i x^i$ be non-constant polynomials with complex coefficients and $a_m b_n \neq 0$. Then

$$|\mathrm{Res}(f,g)| \le \|f\|_{2,s}^{\,n} \cdot \|g\|_{2,s}^{\,m},$$

for all $s > 0$.

Proof. Let $\alpha_1, \ldots, \alpha_m$ be the roots of f and $\beta_1, \ldots, \beta_n$ the roots of g. For $s > 0$,

$$\mathrm{Res}(f,g) = a_m^n b_n^m \prod_{i,j}(\alpha_i - \beta_j) = \left(a_m s^{m/2}\right)^{n} \left(b_n s^{n/2}\right)^{m} \prod_{i,j}\left(\frac{\alpha_i}{s} - \frac{\beta_j}{s}\right) = \mathrm{Res}\left(s^{-m/2} f(sx),\ s^{-n/2} g(sx)\right).$$

Hence,

$$|\mathrm{Res}(f,g)| \le \left\|s^{-m/2} f(sx)\right\|_2^{\,n} \cdot \left\|s^{-n/2} g(sx)\right\|_2^{\,m} = \|f\|_{2,s}^{\,n} \cdot \|g\|_{2,s}^{\,m},$$

where the inequality is obtained by applying Hadamard's inequality. □

Corollary 2.3. Let $f_1, f_2 \in \mathbb{Z}[x]$ be non-constant coprime polynomials with a common root modulo N. Then

$$N \le \|f_1\|_{2,s}^{\deg f_2} \cdot \|f_2\|_{2,s}^{\deg f_1},$$

for all $s > 0$.

The complexity of the number field sieve is largely determined by the size of N and the degree sum $\deg f_1 + \deg f_2$ of the polynomials used [?, Section 11]. For values of N within the current range of interest, the optimal choice of degree sum remains small (see [21, Section 3.1] for a relevant discussion). For example, the factorisation of a 768-bit RSA modulus by Kleinjung et al. [12] and the special number field sieve [?] factorisation of $2^{1039} - 1$ by Aoki et al. [2] both used polynomial pairs with a degree sum of 7. Corollary 2.3 shows that the restriction to small degree sum implies that a pair of number field sieve polynomials will necessarily have large coefficients. For large N without special form, the problem of determining polynomials that meet the lower bound in Corollary 2.3 remains open.

2.1.3. A note on measuring coefficient size. The resultant of two coprime polynomials $f_1, f_2 \in \mathbb{Z}[x]$ is a homogeneous polynomial of degree $\deg f_1 + \deg f_2$ in their coefficients. As a result, some authors consider a pair of number field sieve polynomials $f_1, f_2 \in \mathbb{Z}[x]$ to have optimal coefficient size whenever $\mathrm{Res}(f_1, f_2) = \pm N$. However, the resultant only provides a lower bound on the coefficient size. Therefore, on its own, the resultant of two polynomials does not serve as an accurate measure of coefficient size. This is demonstrated by the following lemma, which proves the existence of integer polynomial pairs with arbitrarily large coefficients and resultant equal to $\pm N$.

Lemma 2.4. Let $X, s > 0$. For integers N and $d \ge 2$ with $N > 1.5(d/\log 2)^d$, there exist degree d polynomials $f_1, f_2 \in \mathbb{Z}[x]$ such that $\mathrm{Res}(f_1, f_2) = \pm N$ and

$$\|f_i\|_{2,s} > X, \quad \text{for } i = 1, 2.$$

Proof. Let $m = \lfloor N^{1/d} \rfloor$ and write N in base m:

$$N = a_d m^d + a_{d-1} m^{d-1} + \cdots + a_1 m + a_0,$$

where the coefficients $a_0, \ldots, a_d \in [0, m) \cap \mathbb{Z}$. Then $a_d = 1$ since $N > 1.5(d/\log 2)^d$ [6, Exercise 6.8]. Define polynomials

$$f_1(x) = c_1 \cdot (x - m) + \sum_{i=0}^{d} a_i x^i \quad \text{and} \quad f_2(x) = c_2 \cdot f_1(x) + (x - m),$$

where $c_1, c_2 \in \mathbb{Z}$, $c_2 \neq 0$, are chosen sufficiently large to ensure $\|f_i\|_{2,s} > X$, for $i = 1, 2$. Then $f_1$ and $f_2$ are degree d integer polynomials with $f_1(m) = N$. Finally, by subtracting $c_2$ times row i of $\mathrm{Syl}(f_1, f_2)$ from row $d + i$, for $1 \le i \le d$, it follows that

$$\mathrm{Res}(f_1, f_2) = \mathrm{Res}(f_1(x),\ c_2 \cdot f_1(x) + (x - m)) = a_d^{\,d-1} \cdot \mathrm{Res}(f_1(x),\ x - m) = \pm f_1(m).$$

□

Throughout this paper, the coefficient size of a pair of number field sieve polynomials $f_1$ and $f_2$ will be measured by their product of coefficient norms $\|f_1\|_{2,s} \cdot \|f_2\|_{2,s}$. In the case that both polynomials are of degree d, Corollary 2.3 implies that the product is bounded below by $N^{1/d}$. The choice is further motivated by the observation that the polynomial values $F_1(a,b)F_2(a,b)$, with $(a,b) \in \mathcal{A} \cap \mathbb{Z}^2$, satisfy

$$|F_1(a,b)F_2(a,b)| = |\mathrm{Res}(f_1(x),\ bx - a)| \cdot |\mathrm{Res}(f_2(x),\ bx - a)| \le \|f_1\|_{2,s} \cdot \|f_2\|_{2,s} \cdot \|bx - a\|_{2,s}^{\deg f_1 + \deg f_2}.$$

Thus a choice of number field sieve polynomials with $\|f_1\|_{2,s} \cdot \|f_2\|_{2,s}$ small should yield more relations compared to another pair with equal degree sum and a larger product of coefficient norms.
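The following Python is an added illustration, not code from the paper: it computes resultants exactly from the Sylvester matrix, evaluates the skewed 2-norm, and runs the construction from the proof of Lemma 2.4 so that a pair with $\mathrm{Res}(f_1, f_2) = \pm N$ but large norms can be checked against the bound of Lemma 2.2. The closed form used for $\|f\|_{2,s}$ is an assumption of the example (the form under which the proof of Lemma 2.2 goes through), and N, d, $c_1$, $c_2$ in the test are sample values.

```python
import math


def sylvester_matrix(f, g):
    """Sylvester matrix Syl(f, g) for f, g given as ascending coefficient lists
    [a_0, ..., a_m] and [b_0, ..., b_n]: n rows of shifted a's, then m rows of shifted b's."""
    m, n = len(f) - 1, len(g) - 1
    size = m + n
    fd, gd = f[::-1], g[::-1]                      # descending order a_m, ..., a_0
    rows = [[0] * i + fd + [0] * (size - m - 1 - i) for i in range(n)]
    rows += [[0] * i + gd + [0] * (size - n - 1 - i) for i in range(m)]
    return rows


def det_int(matrix):
    """Exact determinant of an integer matrix by Bareiss fraction-free elimination."""
    a = [row[:] for row in matrix]
    n = len(a)
    sign, prev = 1, 1
    for k in range(n - 1):
        if a[k][k] == 0:                           # find a nonzero pivot below the diagonal
            piv = next((i for i in range(k + 1, n) if a[i][k] != 0), None)
            if piv is None:
                return 0
            a[k], a[piv] = a[piv], a[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                a[i][j] = (a[i][j] * a[k][k] - a[i][k] * a[k][j]) // prev   # exact division
        prev = a[k][k]
    return sign * a[n - 1][n - 1]


def resultant(f, g):
    """Res(f, g) = det Syl(f, g)."""
    return det_int(sylvester_matrix(f, g))


def skewed_2norm(f, s):
    """||f||_{2,s} = (sum_i a_i^2 s^(2i-d))^(1/2).  This closed form is an assumption of the
    example: it is the norm for which ||f||_{2,s} = ||s^(-d/2) f(sx)||_2, as used in the
    proof of Lemma 2.2."""
    d = len(f) - 1
    return math.sqrt(sum(a * a * s ** (2 * i - d) for i, a in enumerate(f)))


def norm_bound(f, g, s):
    """Right-hand side of Lemma 2.2: ||f||_{2,s}^deg(g) * ||g||_{2,s}^deg(f)."""
    return skewed_2norm(f, s) ** (len(g) - 1) * skewed_2norm(g, s) ** (len(f) - 1)


def poly_eval(f, x):
    return sum(a * x ** i for i, a in enumerate(f))


def lemma_2_4_pair(N, d, c1, c2):
    """Construction from the proof of Lemma 2.4: m = floor(N^(1/d)), N written in base m,
    f1 = c1*(x - m) + sum a_i x^i and f2 = c2*f1 + (x - m).  Returns (f1, f2, m)."""
    m = int(round(N ** (1.0 / d)))                 # integer d-th root, corrected exactly
    while m ** d > N:
        m -= 1
    while (m + 1) ** d <= N:
        m += 1
    digits, t = [], N
    for _ in range(d + 1):                         # base-m digits a_0, ..., a_d
        digits.append(t % m)
        t //= m
    if t != 0 or digits[d] != 1:
        raise ValueError("N too small for the lemma's hypothesis: a_d must equal 1")
    f1 = digits[:]
    f1[0] -= c1 * m                                # add c1 * (x - m)
    f1[1] += c1
    f2 = [c2 * a for a in f1]                      # c2 * f1 + (x - m)
    f2[0] -= m
    f2[1] += 1
    return f1, f2, m
```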

2.2. Lattices in $\mathbb{R}^n$. Throughout this paper, results and algorithms from the geometry of numbers are extensively used. Here necessary background on lattices and lattice algorithms is reviewed. The reader is referred to [5, 15, 17, 28] for further background on the concepts discussed in this section.

A lattice in $\mathbb{R}^n$ is a subgroup $\Lambda$ of $\mathbb{R}^n$ with the following property: there exist $\mathbb{R}$-linearly independent vectors $b_1, \ldots, b_k \in \mathbb{R}^n$ such that $\Lambda = \sum_{i=1}^{k} \mathbb{Z} b_i$. The vectors $b_1, \ldots, b_k$ are said to form a basis for $\Lambda$, denoted throughout by a k-tuple $\mathcal{B} = (b_1, \ldots, b_k)$; and k is called the dimension or rank of $\Lambda$. When written with respect to the canonical orthonormal basis of $\mathbb{R}^n$, if $b_i = (b_{i,1}, \ldots, b_{i,n})$, for $1 \le i \le k$, then the $k \times n$ matrix $B = (b_{i,j})_{1 \le i \le k,\, 1 \le j \le n}$ is called a basis matrix for $\Lambda$. The Gram matrix of $\mathcal{B}$ is the $k \times k$ symmetric matrix $BB^t$. Let $\mathcal{B}_1$ and $\mathcal{B}_2$ be bases for $\Lambda$ with respective basis matrices $B_1$ and $B_2$. Then there exists a matrix $U \in \mathrm{GL}_k(\mathbb{Z})$ such that $UB_1 = B_2$. Thus the Gram matrix of $\mathcal{B}_2$ is $Q_2 = UQ_1U^t$, where $Q_1$ is the Gram matrix of $\mathcal{B}_1$. Therefore, the determinant of the Gram matrix is independent of the choice of basis. The determinant of $\Lambda$ is defined to be $\det \Lambda = \sqrt{\det Q}$, where Q is the Gram matrix of one of its bases.

The sublattices of a lattice are its subgroups. A sublattice $\Lambda'$ of a lattice $\Lambda$ is called full-rank whenever $\dim \Lambda' = \dim \Lambda$. This occurs if and only if $[\Lambda : \Lambda']$ is finite. In this case, the determinant of $\Lambda'$ is related to the determinant of $\Lambda$ by $\det \Lambda' = [\Lambda : \Lambda'] \cdot \det \Lambda$. Let $(x, y) \mapsto \langle x, y \rangle$ denote the usual inner product on $\mathbb{R}^n$. The dual lattice of $\Lambda$ is

$$\Lambda^{*} = \{x \in \mathrm{span}(\Lambda) \mid \forall y \in \Lambda,\ \langle x, y \rangle \in \mathbb{Z}\}.$$

For any basis $\mathcal{B}$ of $\Lambda$, the dual basis $\mathcal{B}^{*}$ for $\mathrm{span}(\Lambda)$ is a basis for $\Lambda^{*}$. A lattice with $\Lambda^{*} = \Lambda$ is called unimodular. The lattice $\mathbb{Z}^n$ is unimodular.

Let $\|\cdot\|_2$ be the norm on $\mathbb{R}^n$ induced by $\langle\,,\rangle$. For a k-dimensional lattice $\Lambda$ and all $1 \le i \le k$, the ith minimum $\lambda_i(\Lambda)$ of $\Lambda$ is defined to be the minimum of $\max_{1 \le j \le i} \|v_j\|_2$ over all linearly independent lattice vectors $v_1, \ldots, v_i \in \Lambda$. Minkowski's second theorem (see [28, Theorem 5, p. 35]) provides an upper bound on the geometric mean of consecutive minima: if $\Lambda$ is a k-dimensional lattice and t an integer satisfying $1 \le t \le k$, then

$$\left(\prod_{i=1}^{t} \lambda_i(\Lambda)\right)^{1/t} \le \sqrt{\gamma_k}\, \det(\Lambda)^{1/k},$$

where $\gamma_k \le 1 + k/4$ denotes Hermite's constant (see [28, p. 33]).

Algorithms for lattice reduction aim to produce bases consisting of short vectors. The most widely used reduction algorithm, due to Lenstra, Lenstra and Lovász [16], is the LLL algorithm. Given a basis for a lattice $\Lambda \subset \mathbb{Z}^n$, the LLL algorithm produces an LLL-reduced basis for $\Lambda$ in polynomial time.

Definition 2.5. Let $\Lambda \subset \mathbb{R}^n$ be a k-dimensional lattice and $\mathcal{B} = (b_1, \ldots, b_k)$ one of its bases. Let $(b_1^{*}, \ldots, b_k^{*})$ be the Gram-Schmidt orthogonalisation of $\mathcal{B}$ and define $\mu_{i,j} = \langle b_i, b_j^{*} \rangle / \langle b_j^{*}, b_j^{*} \rangle$, for $1 \le j < i \le k$. Then $\mathcal{B}$ is LLL-reduced with factor $\delta \in (1/4, 1]$ if and only if the following conditions hold:

(1) $|\mu_{i,j}| \le 1/2$, for $1 \le j < i \le k$; and

(2) $\|b_{i+1}^{*} + \mu_{i+1,i} b_i^{*}\|_2^2 \ge \delta \|b_i^{*}\|_2^2$, for $1 \le i < k$.

For simplicity, it is assumed throughout this paper that LLL-reduced means LLL-reduced with factor $\delta = 3/4$. Accordingly, the following properties of LLL-reduced bases hold:

Theorem 2.6. Let $(b_1, \ldots, b_k)$ be an LLL-reduced basis of a k-dimensional lattice $\Lambda \subset \mathbb{R}^n$. Then

(1) $\|b_1\|_2 \le 2^{(k-1)/4} \det \Lambda^{1/k}$.

(2) $\|b_i\|_2 \le 2^{(k-1)/2} \lambda_i(\Lambda)$, for $1 \le i \le k$.

(3) If $\Lambda \subset \mathbb{Z}^n$, then $\|b_i\|_2 \le 2^{k(k-1)/(4(k-i+1))} \det \Lambda^{1/(k-i+1)}$, for $1 \le i \le k$.

Proofs of the first two properties occur in [16]. The third property is due to May [19, Theorem 4].

Given a basis $(b_1, \ldots, b_k)$ of a k-dimensional lattice $\Lambda \subset \mathbb{Z}^n$, with $\max_i \|b_i\|_2 \le M$, the LLL algorithm returns an LLL-reduced basis in time $O(k^5 n \log^3 M)$ with arithmetic operations performed on integers of bit-length $O(k \log M)$. For instances where $\log M$ is large, it is preferable to use a floating point variant of the LLL algorithm such as the $L^2$ algorithm [27, 26]. The $L^2$ algorithm returns an LLL-reduced basis in time $O(k^4 n (k + \log M) \log M)$ and requires a precision of $(\log_2 3) \cdot k$ bits, thus giving an improved overall complexity and requiring precision independent of $\log M$.



3. Nonlinear polynomial selection

Nonlinear polynomial generation algorithms are based on the observation that polynomials with bounded degree and a prescribed root modulo N can be characterised by orthogonality conditions on their coefficient vectors modulo N. As a trivial example, an integer polynomial $f = \sum_{i=0}^{d} a_i x^i$ of degree at most d has m as a root modulo N if and only if the coefficient vector $(a_0, \ldots, a_d)$ is orthogonal to $(1, m, \ldots, m^d)$ modulo N. The set of all such coefficient vectors, denoted throughout by $L_{m,d}$, forms a lattice in $\mathbb{Z}^{d+1}$ [31, Section 12.2]. Nonlinear algorithms employ lattice reduction to search for short vectors in sublattices of $L_{m,d}$. Bounds such as those in Theorem 2.6 suggest this approach will be most successful for sublattices with small determinants.

Using an approach introduced by Montgomery (see [3, Section 5] and [24, Section 2.3.1]), and since applied by several authors [21, 20, 34, 30, 13], nonlinear algorithms construct sublattices of $L_{m,d}$ with small determinants from "small" geometric progressions modulo N. Formally, a geometric progression (GP) of length l and ratio r modulo N, denoted throughout by a vector $[c_0, \ldots, c_{l-1}]$, is an integer sequence with the property that $c_i \equiv c_0 r^i \pmod{N}$, for $0 \le i < l$. Central to the construction of lattices for nonlinear algorithms is the observation that

$$\sum_{i=0}^{d} a_i c_i \equiv 0 \pmod{N}$$

for any length $d + 1$ GP $[c_0, \ldots, c_d]$ with ratio m modulo N, nonzero terms and $\gcd(c_0, N) = 1$. Given such a GP, nonlinear algorithms consider sublattices of $L_{m,d}$ contained in the $\mathbb{Q}$-vector space orthogonal to $[c_0, \ldots, c_d]$. The role of N in the definition of the sublattices is therefore made implicit, resulting in determinants that depend on the terms of the GP and not on N itself. Roughly speaking, a GP with terms that are small when compared to N is then expected to lead to a sublattice of $L_{m,d}$ with small determinant. More generally, lattices contained in the $\mathbb{Q}$-vector space orthogonal to multiple linearly independent geometric progressions are considered.

There are two main problems that immediately arise from this approach: firstly, establishing a relationship between the size of terms in the geometric progressions and the determinant of the resulting lattices; and secondly, constructing geometric progressions with small terms. In the next section, tools are developed to address the first problem. There the object of study is the orthogonal lattice. A detailed description of nonlinear algorithms is given in Section 3.2. Based on the results of Section 3.1, criteria for the selection of geometric progressions are also given. In Section 3.3 existing solutions to the second problem are reviewed.

Throughout this paper, big-O estimates may have implied constants depending on the degree parameter d.
3.1. The orthogonal lattice. Let $\Lambda$ be a lattice in $\mathbb{Z}^n$ and denote by $E_\Lambda$ the unique $\mathbb{Q}$-vector subspace of $\mathbb{Q}^n$ that is generated by any of its bases. The dimension of $E_\Lambda$ over $\mathbb{Q}$ is equal to the dimension of $\Lambda$. Let $E_\Lambda^{\perp}$ be the orthogonal complement of $E_\Lambda$ with respect to $\langle\,,\rangle$. The orthogonal lattice of $\Lambda$ is defined to be $\Lambda^{\perp} = \mathbb{Z}^n \cap E_\Lambda^{\perp}$. The intersection $\mathbb{Z}^n \cap E_\Lambda$ forms a lattice in $E_\Lambda$ (see [18, Proposition 1.1.3]), which shall be denoted throughout by $\bar{\Lambda}$. Clearly, $\bar{\Lambda}$ contains $\Lambda$ as a sublattice, thus $\dim \bar{\Lambda} = \dim \Lambda$. Proposition 1.3.4 in [18] implies that $\dim \Lambda^{\perp} = \dim E_\Lambda^{\perp}$ if and only if the dimension of $(\mathbb{Z}^n)^{*} \cap E_{\Lambda^{\perp}}^{\perp}$ is equal to $\dim E_\Lambda$. This clearly holds since $\bar{\Lambda} = (\mathbb{Z}^n)^{*} \cap E_{\Lambda^{\perp}}^{\perp}$. Hence, $\dim \Lambda + \dim \Lambda^{\perp} = n$. Nguyen and Stern [25, Theorem 1] showed that the determinants of $\Lambda$ and $\Lambda^{\perp}$ are related as follows:

$$\det \Lambda = [\bar{\Lambda} : \Lambda] \cdot \det \Lambda^{\perp}.$$

Therefore, $\det \Lambda^{\perp} \le \det \Lambda$ with equality if and only if $\bar{\Lambda} = \Lambda$. A lattice $\Lambda \subset \mathbb{Z}^n$ for which equality holds is called primitive. Let B be a basis matrix for a k-dimensional lattice $\Lambda \subset \mathbb{Z}^n$. Then $\Lambda$ is primitive if and only if the greatest common divisor of all $k \times k$ minors of B is 1 (see [?, Corollary 4.1c]). The following lemma determines the index $[\bar{\Lambda} : \Lambda]$ in general.

Lemma 3.1. Let $\Lambda \subset \mathbb{Z}^n$ be a k-dimensional lattice and B one of its basis matrices. Let $\Omega$ denote the greatest common divisor of all $k \times k$ minors of B. Then $[\bar{\Lambda} : \Lambda] = \Omega$.

Proof. Let $\bar{B}$ denote a basis matrix for $\bar{\Lambda}$. The lattice $\Lambda$ is a full-rank sublattice of $\bar{\Lambda}$, thus there exists a $k \times k$ integer matrix U with $|\det U| = [\bar{\Lambda} : \Lambda]$ such that $B = U \cdot \bar{B}$. Hence, the lemma will follow by showing that $\Omega = |\det U|$.

For indices $1 \le i_1 < \ldots < i_k \le n$, let $B_{i_1, \ldots, i_k}$ (resp. $\bar{B}_{i_1, \ldots, i_k}$) denote the $k \times k$ submatrix of B (resp. $\bar{B}$) formed by columns $i_1, \ldots, i_k$. Then $B_{i_1, \ldots, i_k} = U \cdot \bar{B}_{i_1, \ldots, i_k}$, for all $1 \le i_1 < \ldots < i_k \le n$. Therefore, $\Omega = |\det U| \cdot \bar{\Omega}$, where $\bar{\Omega}$ is the greatest common divisor of all $k \times k$ minors of $\bar{B}$. However, $\bar{\Omega} = 1$ as the lattice $\bar{\Lambda}$ is primitive. □

3.1.1. The determinant under transformation. For a k-dimensional lattice $\Lambda \subset \mathbb{Z}^n$ and $S \in \mathrm{GL}_n(\mathbb{R})$, define $\Lambda_S = \{xS \mid x \in \Lambda\}$. Given a basis $(b_1, \ldots, b_k)$ of $\Lambda$, define $(b_1, \ldots, b_k)_S = (b_1 S, \ldots, b_k S)$. Then $\Lambda_S$ is a k-dimensional lattice in $\mathbb{R}^n$ with basis $(b_1, \ldots, b_k)_S$.

Lemma 3.2. Let $\Lambda$ be a lattice in $\mathbb{Z}^n$ and $S \in \mathrm{GL}_n(\mathbb{R})$. Then

$$\det \Lambda_S^{\perp} = |\det S| \cdot \det \bar{\Lambda}_{S^{-t}},$$

where $S^{-t} = (S^{-1})^t$ denotes the inverse transpose of S.

Proof. Fix a basis $(b_1, \ldots, b_k)$ for $\bar{\Lambda}$. The lattice $\bar{\Lambda}$ is primitive, thus $(b_1, \ldots, b_k)$ can be extended to a basis $(b_1, \ldots, b_n)$ for $\mathbb{Z}^n$ [4, Lemma 2, Chapter 1]. Since $\mathbb{Z}^n$ is unimodular, the dual basis $(b_1^{*}, \ldots, b_n^{*})$ for $\mathbb{R}^n$ forms a basis for $\mathbb{Z}^n$. The dual basis is characterised by the equalities $\langle b_i^{*}, b_j \rangle = \delta_{i,j}$, where $\delta_{i,j}$ is the Kronecker delta. Therefore, $(b_{k+1}^{*}, \ldots, b_n^{*})$ forms a basis for the orthogonal lattice $\Lambda^{\perp}$. Hence, $(b_1, \ldots, b_n)_{S^{-t}}$ forms a basis for $\mathbb{Z}^n_{S^{-t}}$, $(b_1, \ldots, b_k)_{S^{-t}}$ forms a basis for $\bar{\Lambda}_{S^{-t}}$ and $(b_{k+1}^{*}, \ldots, b_n^{*})_S$ forms a basis for $\Lambda_S^{\perp}$. For all $1 \le i, j \le n$,

$$\langle b_i^{*} S, b_j S^{-t} \rangle = b_i^{*} S S^{-1} b_j^t = \langle b_i^{*}, b_j \rangle = \delta_{i,j}.$$

Thus $(b_1^{*}, \ldots, b_n^{*})_S$ is a dual basis of $(b_1, \ldots, b_n)_{S^{-t}}$. Therefore, by applying [18, Corollary 1.3.5] with $E = \mathbb{R}^n$ and F equal to the subspace of $\mathbb{R}^n$ generated by $(b_1, \ldots, b_k)_{S^{-t}}$, it follows that

$$|\det S|^{-1} = \det \mathbb{Z}^n_{S^{-t}} = \det\left(\bar{\Lambda}_{S^{-t}}\right) \cdot \det\left(\Lambda_S^{\perp}\right)^{-1}.$$

□



Given a basis for a lattice $\Lambda \subset \mathbb{Z}^n$ and a diagonal matrix $S \in \mathrm{GL}_n(\mathbb{R})$, the following theorem provides a method for computing the determinant of $\Lambda_S^{\perp}$.

Theorem 3.3. Let $\Lambda \subset \mathbb{Z}^n$ be a k-dimensional lattice and B one of its basis matrices. For all indices $1 \le i_1 < \ldots < i_k \le n$, denote by $B_{i_1, \ldots, i_k}$ the $k \times k$ submatrix of B formed by columns $i_1, \ldots, i_k$. For nonzero reals $S_1, \ldots, S_n$, define $S = \mathrm{diag}(S_1, \ldots, S_n)$. Then

$$\det \Lambda_S^{\perp} = \frac{|S_1 \cdots S_n|}{\Omega} \left( \sum_{1 \le i_1 < \ldots < i_k \le n} \left( \frac{\det B_{i_1, \ldots, i_k}}{S_{i_1} \cdots S_{i_k}} \right)^{2} \right)^{1/2},$$

where $\Omega$ is the greatest common divisor of all $k \times k$ minors of B.

Proof. The index of $\Lambda$ in $\bar{\Lambda}$ is invariant under scaling by the matrix $S^{-1}$, i.e., $[\bar{\Lambda}_{S^{-1}} : \Lambda_{S^{-1}}] = [\bar{\Lambda} : \Lambda]$. Therefore, it follows from Lemma 3.1 and Lemma 3.2 that

$$\det \Lambda_S^{\perp} = |\det S| \cdot \det \bar{\Lambda}_{S^{-1}} = |S_1 \cdots S_n| \cdot \Omega^{-1} \cdot \det \Lambda_{S^{-1}}.$$

The matrix $P = BS^{-1}$ forms a basis matrix for $\Lambda_{S^{-1}}$. For all indices $1 \le i_1 < \ldots < i_k \le n$, let $P_{i_1, \ldots, i_k}$ denote the $k \times k$ submatrix of P formed by columns $i_1, \ldots, i_k$. Using the Cauchy-Binet formula (see [?, p. 86]) to compute $\det PP^t$ shows that

$$\det \Lambda_{S^{-1}} = \left( \sum_{1 \le i_1 < \ldots < i_k \le n} \det\left(P_{i_1, \ldots, i_k}\right)^{2} \right)^{1/2}.$$

The theorem then follows from the fact that $P_{i_1, \ldots, i_k} = B_{i_1, \ldots, i_k} \cdot \mathrm{diag}(S_{i_1}, \ldots, S_{i_k})^{-1}$, for all $1 \le i_1 < \ldots < i_k \le n$. □

3.1.2. Constructing a basis for the orthogonal lattice. Let $\Lambda$ be a k-dimensional lattice in $\mathbb{Z}^n$ and $B = (b_{i,j})$ one of its basis matrices. A basis for the orthogonal lattice $\Lambda^{\perp}$ can be found by using either Algorithm 2.4.10 or Algorithm 2.7.2 in [5] to compute a basis for the integer kernel of the matrix B. The former algorithm is based on Hermite normal form computation (see [5, Section 2.4.2]) and the latter algorithm on the MLLL algorithm of Pohst [?]. In practice, the MLLL based algorithm is preferable since it is more likely to avoid large integer arithmetic (see [5, Section 2.4.3]). Similarly, one can use the LLL HNF algorithm of Havas, Majewski and Matthews [9, Section 6]. If $M = \max_j \|(b_{1,j}, \ldots, b_{k,j})\|_2$, then the algorithm performs $O((n + k)^4 \log(nM))$ operations on integers of size $O(n \log(nM))$ [33]. The algorithm of Nguyen and Stern [25, Algorithm 5] directly computes an LLL-reduced basis for $\Lambda^{\perp}$. Given an $n \times n$ diagonal matrix S with integer entries and nonzero determinant, the following modification of their algorithm produces an LLL-reduced basis for $\Lambda_S^{\perp}$.

Algorithm 3.4.

Input: A basis matrix $B = (b_{i,j})_{1 \le i \le k,\, 1 \le j \le n}$ for a lattice $\Lambda \subset \mathbb{Z}^n$, where $k < n$. An $n \times n$ diagonal matrix S with integer entries and nonzero determinant.
Output: An LLL-reduced basis for $\Lambda_S^{\perp}$.

(1) Select an integer $X > 2^{(n-1)/2 + (n-k)(n-k-1)/4} \det \Lambda_S^{\perp}$.

(2) Let $S = \mathrm{diag}(S_1, \ldots, S_n)$. Compute the $n \times (n + k)$ matrix

$$D = \begin{pmatrix} S_1 & 0 & \cdots & 0 & Xb_{1,1} & Xb_{2,1} & \cdots & Xb_{k,1} \\ 0 & S_2 & \cdots & 0 & Xb_{1,2} & Xb_{2,2} & \cdots & Xb_{k,2} \\ \vdots & & \ddots & \vdots & \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & S_n & Xb_{1,n} & Xb_{2,n} & \cdots & Xb_{k,n} \end{pmatrix}.$$

(3) Compute an LLL-reduced basis $(x_1, \ldots, x_n)$ for the lattice with basis matrix D.

(4) Let $\pi_n$ denote the projection that maps any vector in $\mathbb{R}^{n+k}$ to the vector in $\mathbb{R}^n$ obtained from its first n consecutive entries. Return the basis $\mathcal{X} = (\pi_n(x_1), \ldots, \pi_n(x_{n-k}))$.

Accordingly, a generalisation of [25, Theorem 4] holds:

Theorem 3.5. Algorithm 3.4 returns an LLL-reduced basis for $\Lambda_S^{\perp}$.

Proof. Let $\Delta$ be the lattice with basis matrix D. Given a vector $y = (y_1, \ldots, y_n) \in \mathbb{Z}^n$,

$$yD = \left(y_1 S_1, \ldots, y_n S_n, X\langle y, b_1 \rangle, \ldots, X\langle y, b_k \rangle\right).$$

Therefore, $y \in \Lambda^{\perp}$ if and only if $(y_1 S_1, \ldots, y_n S_n, 0, \ldots, 0) \in \Delta$. Consequently, if $x \in \Delta$ and $\|x\|_2 < X$, then $\pi_n(x) \in \Lambda_S^{\perp}$.

The existence of an LLL-reduced basis for $\Lambda_S^{\perp}$ gives rise to linearly independent vectors $y_1, \ldots, y_{n-k} \in \Delta$ such that

$$\max_{1 \le i \le n-k} \|y_i\|_2 \le 2^{(n-k)(n-k-1)/4} \det \Lambda_S^{\perp}.$$

Let $(x_1, \ldots, x_n)$ be the LLL-reduced basis for $\Delta$ computed in Step 3 of the algorithm. Then

$$\max_{1 \le i \le n-k} \|x_i\|_2 \le 2^{(n-1)/2} \max_{1 \le i \le n-k} \|y_i\|_2 \le 2^{(n-1)/2 + (n-k)(n-k-1)/4} \det \Lambda_S^{\perp} < X.$$

Thus $\mathcal{X} = (\pi_n(x_1), \ldots, \pi_n(x_{n-k}))$ forms a basis for a sublattice of $\Lambda_S^{\perp}$. If $\mathcal{X}$ is not a basis of $\Lambda_S^{\perp} \subseteq \pi_n(\Delta)$, then there exist integers $z_{n-k+1}, \ldots, z_n$, not all zero, such that the last k consecutive entries of the vector $\sum_{j=n-k+1}^{n} z_j x_j$ are zero. That is, $\Lambda_S^{\perp}$ contains $n - k + 1$ linearly independent vectors

$$\pi_n(x_1), \ldots, \pi_n(x_{n-k}), \sum_{j=n-k+1}^{n} z_j \pi_n(x_j),$$

which is absurd. Hence, $\mathcal{X}$ forms a basis for $\Lambda_S^{\perp}$.

It remains to show that $\mathcal{X}$ is LLL-reduced. From the definition of an LLL-reduced basis, it follows that $(x_1, \ldots, x_{n-k})$ inherits the property of being LLL-reduced from $(x_1, \ldots, x_n)$. If $(x_1^{*}, \ldots, x_{n-k}^{*})$ is the Gram-Schmidt orthogonalisation of $(x_1, \ldots, x_{n-k})$, then the last k consecutive entries of $x_i^{*}$ must be 0, for $1 \le i \le n - k$. Therefore,

$$\langle x_i, x_j^{*} \rangle = \langle \pi_n(x_i), \pi_n(x_j^{*}) \rangle \quad \text{and} \quad \langle x_i^{*}, x_j^{*} \rangle = \langle \pi_n(x_i^{*}), \pi_n(x_j^{*}) \rangle,$$

for $1 \le i, j \le n - k$. Hence, the Gram-Schmidt orthogonalisation of $\mathcal{X}$ is equal to $(\pi_n(x_1^{*}), \ldots, \pi_n(x_{n-k}^{*}))$. Thus $\mathcal{X}$ inherits the property of being LLL-reduced from $(x_1, \ldots, x_{n-k})$. □
As noted by Nguyen and Stern, the bounds on LLL-reduced bases (Theorem 2.6) are "quite pessimistic." Therefore, the lower bound on X occurring in Algorithm 3.4 can be reduced in practice. By using the $L^2$ algorithm in Step 3, Algorithm 3.4 takes time $O(n^4 (n + k)(n + \log M) \log M)$, where M is an upper bound on the row vector norms of the matrix D from Step 2.
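Algorithm 3.4 as runnable Python, an added example that is not code from the paper or its authors: an exact-arithmetic LLL with factor 3/4 is applied to the embedded matrix D and the first $n - k$ reduced vectors are projected. Step 1's constant X is chosen with $\det \Lambda_S^{\perp}$ replaced by the upper bound $|\det S| \cdot \prod_i \|b_i S^{-1}\|_2$ that follows from Lemma 3.2 and Hadamard's inequality, which avoids computing the determinant; the sample lattice in the test is constructed for the demonstration.

```python
from fractions import Fraction
from math import prod, sqrt, ceil


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(b):
    """Exact Gram-Schmidt orthogonalisation of the rows b: returns (b*, mu) with
    mu[i][j] = <b_i, b*_j> / <b*_j, b*_j> for j < i, as in Definition 2.5."""
    n, bstar, mu = len(b), [], [[Fraction(0)] * len(b) for _ in b]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL with factor delta; rows of `basis` are the lattice vectors.
    Gram-Schmidt data is recomputed after each change (simple, fine for small inputs)."""
    b = [list(v) for v in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                 # size-reduce b_k (condition (1))
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                      # Lovasz condition (2) holds at k
        else:
            b[k - 1], b[k] = b[k], b[k - 1]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def is_lll_reduced(b, delta=Fraction(3, 4)):
    """Checks both conditions of Definition 2.5 on the rows b."""
    bstar, mu = gram_schmidt(b)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(len(b)) for j in range(i))
    lovasz_ok = all(dot(bstar[i], bstar[i]) >= (delta - mu[i][i - 1] ** 2) * dot(bstar[i - 1], bstar[i - 1])
                    for i in range(1, len(b)))
    return size_ok and lovasz_ok


def orthogonal_lattice_basis(B, S):
    """Algorithm 3.4 for a k x n integer basis matrix B (rows b_1..b_k) and integer weights
    S = (S_1, ..., S_n).  Returns an LLL-reduced basis of (Lambda^perp)_S = {y S : y in Lambda^perp}."""
    k, n = len(B), len(B[0])
    # Step 1: X must exceed 2^((n-1)/2 + (n-k)(n-k-1)/4) det (Lambda^perp)_S.  The determinant is
    # bounded above here by |det S| * prod ||b_i S^{-1}||_2 (Lemma 3.2 and Hadamard's inequality).
    det_bound = abs(prod(S)) * prod(sqrt(sum(Fraction(x, s) ** 2 for x, s in zip(row, S))) for row in B)
    X = ceil(2 ** ((n - 1) / 2 + (n - k) * (n - k - 1) / 4) * det_bound) + 1
    # Step 2: row i of D is (0, .., S_i, .., 0, X b_{1,i}, ..., X b_{k,i}).
    D = [[S[i] if j == i else 0 for j in range(n)] + [X * B[r][i] for r in range(k)] for i in range(n)]
    reduced = lll_reduce(D)                              # Step 3
    return [row[:n] for row in reduced[:n - k]]          # Step 4: project the first n-k vectors


def in_orthogonal_lattice(x, B, S):
    """True if x = y S with y in Z^n and <y, b_r> = 0 for every row b_r of B."""
    if any(xi % s for xi, s in zip(x, S)):
        return False
    y = [xi // s for xi, s in zip(x, S)]
    return all(dot(y, row) == 0 for row in B)
```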

3.2. Nonlinear polynomial generation in detail. To address the problem of constructing lattices with small determinants, the use of small geometric progressions modulo N was briefly introduced in Section 3. To make matters more concrete, the ideas introduced there are now discussed in detail.

Nonlinear algorithms search for polynomials with coefficient vectors contained in the lattice orthogonal to linearly independent geometric progressions with ratio m modulo N:

$$c_1 = [c_{1,0}, \ldots, c_{1,d}],\ c_2 = [c_{2,0}, \ldots, c_{2,d}],\ \ldots,\ c_k = [c_{k,0}, \ldots, c_{k,d}], \quad 1 \le k < d.$$

Let L denote the k-dimensional lattice with basis $(c_1, \ldots, c_k)$. Geometric progressions that are also a rational GP must be avoided. Otherwise, any nonlinear polynomial with coefficient vector in $L^{\perp}$ will be reducible. In general, $L^{\perp}$ may not be a sublattice of $L_{m,d}$. However, $L^{\perp} \subseteq L_{m,d}$ whenever at least one GP $c_i$ has nonzero terms and $\gcd(c_{i,0}, N) = 1$. To obtain skewed polynomials, a skew parameter $s > 0$ is introduced and weights $S_i = s^{i - d/2}$ computed for $0 \le i \le d$. With $S = \mathrm{diag}(S_0, \ldots, S_d)$, lattice reduction is then used to find an LLL-reduced basis $(b_1, \ldots, b_{d-k+1})_S$, with $b_i \in L^{\perp}$, for the lattice $L_S^{\perp}$. Finally, those polynomials with corresponding coefficient vectors $b_1$ and $b_2$ are returned.

In practice, the weights $S_i$ can be replaced by arbitrary positive real values. However, defining $S_i = s^{i - d/2}$ ensures that the length of a vector $(a_0 S_0, \ldots, a_d S_d) \in L_S^{\perp}$ and the skewed 2-norm of the corresponding polynomial $f = \sum_{i=0}^{d} a_i x^i$ are related:

$$\|f\|_{2,s} = \|(a_0 S_0, \ldots, a_d S_d)\|_2.$$

Therefore, if the vectors $b_1$ and $b_2$ correspond to degree d polynomials $f_1, f_2 \in \mathbb{Z}[x]$ with nonzero resultant, then Corollary 2.3 and Theorem 2.6 imply that

$$N^{1/d} \le \|f_1\|_{2,s} \cdot \|f_2\|_{2,s} \le 2^{d-k} \cdot \gamma_{d-k+1} \cdot \det\left(L_S^{\perp}\right)^{2/(d-k+1)}. \qquad (3.1)$$

Consequently, when aiming to produce two polynomials of equal degree $d \ge 2$, the determinant of $L_S^{\perp}$ is of optimal size whenever $\det L_S^{\perp} = O\left(N^{(d-k+1)/(2d)}\right)$.

The determinant of $L_S^{\perp}$ can be computed exactly using Theorem 3.3. However, this approach does not provide a clear intuition as to the relationship between the size of $\det L_S^{\perp}$ and the size of the geometric progressions $c_1, \ldots, c_k$. For $s > 0$ and $(x_0, \ldots, x_n) \in \mathbb{R}^{n+1}$, define

$\|[x_0, \ldots, x_n]\|_{2,s} =$

Then a more illustrative relationship between the size of $\det L_S^{\perp}$ and the size of the geometric progressions is given by the following theorem.

Theorem 3.6. For linearly independent geometric progressions

\[ c_1 = [c_{1,0}, \dots, c_{1,d}],\; c_2 = [c_{2,0}, \dots, c_{2,d}],\; \dots,\; c_k = [c_{k,0}, \dots, c_{k,d}], \quad 1 \le k \le d, \]

with ratio $m$ modulo $N$ and $\gcd(c_{1,0}, N) = 1$, let $L$ denote the lattice with basis $(c_1, \dots, c_k)$. Then $L_S$ is $(d-k+1)$-dimensional and

\[ \det L_S \le N^{1-k} \cdot \|c_1\|_{2,s^{-1}} \cdots \|c_k\|_{2,s^{-1}} . \]

Proof. Observe that $c_i - (c_{i,0}\, c_{1,0}^{-1})\, c_1 \equiv 0 \pmod N$, for $2 \le i \le k$. Thus $N^{k-1}$ divides each $k \times k$ minor of the basis matrix $(c_{i,j})$ for $L$. Hence, Lemma 3.1 and Lemma 3.2 imply that $L_S$ is a $(d-k+1)$-dimensional lattice and

\[ \det L_S \le (S_0 \cdots S_d) \cdot N^{1-k} \cdot \det L_{S^{-1}} . \]

The proof is completed by using Hadamard's inequality (see [JU, Section 1.3]) to bound $\det L_{S^{-1}}$. □



Theorem 3.6 provides a simple criterion for selecting geometric progressions: for a given skew $s > 0$, the best geometric progressions $c_1, \dots, c_k$ are precisely those for which $\|c_i\|_{2,s^{-1}}$ are small.

The construction of small geometric progressions is, by a large margin, the most difficult part of nonlinear polynomial generation. One approach to this problem, introduced by Montgomery [31] [30] and later extended by Koo, Jo and Kwon [13, Section 3], suggests constructing an initial GP $c = [c_0, \dots, c_{l-1}]$ of length $l$, where $d < l < 2d$. Then $l - d$ geometric progressions of length $d + 1$ are obtained by taking successive terms:

\[ c_1 = [c_0, \dots, c_d],\; c_2 = [c_1, \dots, c_{d+1}],\; \dots,\; c_{l-d} = [c_{l-d-1}, \dots, c_{l-1}] . \]

If the vectors $c_1, \dots, c_{l-d}$ do not form a basis for an $(l-d)$-dimensional sublattice of $L_{m,d}$, then $c$ is rejected. For $s > 0$, the product of the norms $\|c_i\|_{2,s^{-1}}$ is bounded in terms of the initial GP:

\[ \prod_{i=1}^{l-d} \|c_i\|_{2,s^{-1}} \le \prod_{i=1}^{l-d} s^{(2i+d-l-1)/2}\, \|c\|_{2,s^{-1}} = \|c\|_{2,s^{-1}}^{\,l-d} . \]



To generate two degree $d$ polynomials with optimal size, Theorem 3.6 and (3.1) suggest that the initial geometric progression $c$ should satisfy

\[ (3.2)\quad \|c\|_{2,s^{-1}} = O\Big( N^{\,((2d-1)(l-d)-(d-1)) / (2d(l-d))} \Big) . \]

For fixed $d$, the exponent of $N$ in (3.2) is a strictly increasing function of $l$. Therefore, the weakest size requirements on $c$ occur for $l = 2d - 1$ (corresponding to Montgomery's algorithm). For this case, the orthogonal lattice is 2-dimensional, thus two linearly independent vectors of shortest length can be computed in polynomial time by using Lagrange's algorithm (often called Gauss' algorithm, see [l^ and references therein). For large $N$, the problem of efficiently constructing geometric progressions satisfying (3.2) remains open for all parameters $(d, l) \notin \{(2, 3), (3, 5)\}$.

Koo, Jo and Kwon observed that at least one degree $d$ polynomial can be obtained for all $l/2 < d < l$. Therefore, polynomial pairs of distinct degrees can be obtained by varying the parameter $d$. This approach allows nonlinear algorithms to be applied to $N$ of any size.
3.3. Existing Algorithms. In this section, existing nonlinear generation algorithms are briefly reviewed. A uniform analysis of the algorithms that appear in this section is provided in Section 4 and Section 5. Therefore, attention is limited to each algorithm's methods of GP and basis construction. Examples are given for comparison between the algorithms.

3.3.1. Montgomery's two quadratics algorithm. In Montgomery's two quadratics algorithm (see [8, Section 5] and [24, Section 2.3.1]), geometric progressions of length $d + 1 = 3$ are constructed by first selecting an integer $p > 2$ (usually chosen to be prime) such that $\gcd(p, N) = 1$ and $N$ is a quadratic residue modulo $p$. Then one of the two possible values of $m \in \mathbb{Z}$ satisfying $m^2 \equiv N \pmod p$ and $|m - N^{1/2}| < p/2$ is chosen. Finally, the GP is taken to be $[c_0, c_1, c_2] = [p, m, (m^2 - N)/p]$, with ratio $mp^{-1}$ modulo $N$. For any integer $t \equiv c_2 c_1^{-1} \pmod{c_0}$, the matrix

\[ \begin{pmatrix} c_1 & -c_0 & 0 \\ (t c_1 - c_2)/c_0 & -t & 1 \end{pmatrix} \]

forms a basis matrix for the orthogonal lattice of $[c_0, c_1, c_2]\mathbb{Z}$.

For a given skew $s > 0$, choosing $p = O(s^{-1}\sqrt{N})$ guarantees that (3.2) holds. As a result, Montgomery's algorithm is capable of producing polynomials with optimal coefficient size. However, the restriction to quadratic polynomials means that the algorithm is not suitable for $N$ containing more than 110-120 digits [24, Section 2.3.1]. Examples of polynomials generated using Montg
omery's two quadratics algorithm can be found in [8, Section 10].

3.3.2. The Williams and Prest-Zimmermann algorithms. Williams [34, Chapter 4] introduced another length 3 GP construction for producing pairs of quadratic polynomials. Roughly speaking, the new geometric progressions are obtained by setting $p = 1$ in Montgomery's construction. Williams also provided a length 4 GP construction for producing pairs of cubic polynomials. In both of Williams' algorithms, the skew parameter is restricted to $s = 1$. Prest and Zimmermann [30] extended Williams' algorithms to include skews $s \ne 1$, leading to a reduction in coefficient norms for the cubic algorithm. In addition, they generalised their algorithm to arbitrary degrees.

In the algorithms of Williams and Prest-Zimmermann, geometric progressions of length $d + 1$ are constructed by first selecting an integer $m$ with $|m^d - N| = O(N^{1-1/d})$. Then the GP is taken to be

\[ [c_0, \dots, c_d] = [1, m, \dots, m^{d-1}, m^d - N], \]

with ratio $m$ modulo $N$. The matrix

\[ \begin{pmatrix} -c_1 & 1 & 0 & \cdots & 0 \\ -c_2 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \\ -c_d & 0 & \cdots & 0 & 1 \end{pmatrix} \]

forms a basis matrix for the orthogonal lattice of $[c_0, \dots, c_d]\mathbb{Z}$.

Examples of polynomials found with the Williams and Prest-Zimmermann algorithms are found in [34, Chapter 5] and [30]. For comparison between the algorithms of this section, the following example is considered throughout.

Example 3.7. Let

\[ N = c91 = 4567176039894108704358752160655628192034927306969828397739074346628988327155475222843793393 . \]

With $m = \lceil N^{1/3} \rceil = 1659138281147271980794587079218$, Williams [34, Chapter 5] obtained the cubic polynomials:

\[ f_1 = 8962732699933084116x^3 - 20270774434332188756x^2 - 9743458171161776159x + 98228473793261830482, \]

\[ f_2 = 62526200906654277101x^3 - 141413847455697130658x^2 - 161279695637696264892x - 88601408057407884491 . \]

The product of coefficient norms $\|f_1\|_2 \cdot \|f_2\|_2$ is approximately $N^{0.445}$. The product $\|f_1\|_{2,s} \cdot \|f_2\|_{2,s}$ is minimised for $s_{\mathrm{opt}} \approx 1.763$ with $\|f_1\|_{2,s_{\mathrm{opt}}} \cdot \|f_2\|_{2,s_{\mathrm{opt}}} \approx N^{0.443}$.

Applying Prest and Zimmermann's algorithm with $m = \lceil N^{1/3} \rceil$ and $s = 10^8$, the following pair of cubic polynomials is obtained:

\[ g_1 = 10363104x^3 - 23437957x^2 - 21147168576512214234486x - 109084939899748327411476171840, \]

\[ g_2 = 4776851x^3 - 10803677x^2 + 150352771504116048021555x - 100087822514431510434061442231 . \]

The product of coefficient norms $\|g_1\|_{2,10^8} \cdot \|g_2\|_{2,10^8}$ is approximately $N^{0.422}$. The product $\|g_1\|_{2,s} \cdot \|g_2\|_{2,s}$ is minimised for $s_{\mathrm{opt}} \approx 45278023$ with $\|g_1\|_{2,s_{\mathrm{opt}}} \cdot \|g_2\|_{2,s_{\mathrm{opt}}} \approx N^{0.419}$. Consequently, the polynomials $g_1$ and $g_2$ have an optimised product of coefficient norms that is approximately 147 times smaller than that of $f_1$ and $f_2$.

3.3.3. The Koo-Jo-Kwon algorithms. Koo, Jo and Kwon [13, Section 4.1] generalised Montgomery's GP construction to arbitrary degrees. They construct geometric progressions of length $d + 1$ by first selecting positive integers $p = O((kN)^{1/d})$ and $k = O(1)$ such that $x^d \equiv kN \pmod p$ has a nonzero solution. An integer $m$ satisfying $m^d \equiv kN \pmod p$ and $|m - (kN)^{1/d}| < p/2$ is chosen. Then the GP is taken to be

\[ [c_0, \dots, c_d] = \Big[ p^{d-1},\; p^{d-2} m,\; \dots,\; m^{d-1},\; \frac{m^d - kN}{p} \Big], \]

with ratio $mp^{-1}$ modulo $N$. This construction is seen to reduce to Montgomery's construction for parameters $d = 2$, $k = 1$; and to the constructions of Williams and Prest-Zimmermann for $p = k = 1$.

The Koo-Jo-Kwon and Prest-Zimmermann algorithms each produce polynomials which satisfy the same theoretical bounds on coefficient norms (see Section 4). However, for any given $N$, the additional parameters $p$ and $k$ allow for a wealth of new geometric progressions to be constructed. As a result, polynomials with significantly smaller coefficients may be found in practice.

Example 3.8. Let $N = c91$. Applying the Koo-Jo-Kwon algorithm with $s = 10^8$, $k = 1$, $p = 776112641898$ and $m = \lceil N^{1/3} \rceil + 5$, the following pair of cubic polynomials is obtained:

\[ h_1 = 124932x^3 - 276x^2 + 590020231905564605626x + 79893857071973416869543365671, \]

\[ h_2 = 156165x^3 - 345x^2 + 737525290075983917507x - 314917248946851224111717562717 . \]

The product of coefficient norms $\|h_1\|_{2,10^8} \cdot \|h_2\|_{2,10^8}$ is approximately $N^{0.383}$. The product $\|h_1\|_{2,s} \cdot \|h_2\|_{2,s}$ is minimised for $s_{\mathrm{opt}} \approx 106759349$ with $\|h_1\|_{2,s_{\mathrm{opt}}} \cdot \|h_2\|_{2,s_{\mathrm{opt}}} \approx N^{0.383}$. Consequently, the polynomials $h_1$ and $h_2$ have an optimised product of coefficient norms that is approximately 1770 times smaller than that of $g_1$ and $g_2$ from Example 3.7.
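The figures quoted in Examples 3.7 and 3.8 can be checked numerically. The following Python is an added illustration, not code from the paper: it evaluates $\|f\|_{2,s}$ for the three pairs, finds $s_{\mathrm{opt}}$ by a ternary search on $\log s$ (the logarithm of the norm product is convex in $\log s$, so the minimum is unique) and reports the exponent $e$ with product $= N^e$. The function names are my own; $N$ and the coefficients are those of the two examples.

```python
import math

# Added example, not the paper's code. N = c91 and the pairs f (Williams), g (Prest-Zimmermann)
# and h (Koo-Jo-Kwon) are copied from Examples 3.7 and 3.8; lists run from a_0 up to a_3.
C91 = int("4567176039894108704358752160655628192034927306"
          "969828397739074346628988327155475222843793393")
F1 = [98228473793261830482, -9743458171161776159, -20270774434332188756, 8962732699933084116]
F2 = [-88601408057407884491, -161279695637696264892, -141413847455697130658, 62526200906654277101]
G1 = [-109084939899748327411476171840, -21147168576512214234486, -23437957, 10363104]
G2 = [-100087822514431510434061442231, 150352771504116048021555, -10803677, 4776851]
H1 = [79893857071973416869543365671, 590020231905564605626, -276, 124932]
H2 = [-314917248946851224111717562717, 737525290075983917507, -345, 156165]

def skewed_norm(f, s):
    """||f||_{2,s} = (sum_j a_j^2 s^(2j-d))^(1/2) for f = sum_j a_j x^j of degree d."""
    d = len(f) - 1
    return math.sqrt(sum(float(a) ** 2 * s ** (2 * j - d) for j, a in enumerate(f)))

def norm_product(f, g, s):
    """The quantity minimised over s in the examples: ||f||_{2,s} * ||g||_{2,s}."""
    return skewed_norm(f, s) * skewed_norm(g, s)

def optimal_skew(f, g, lo=1e-3, hi=1e12, iters=300):
    """Minimise the norm product over s in [lo, hi] by ternary search on t = log s.
    Each log ||.||_{2,e^t}^2 is a log-sum-exp in t, hence convex, so the logarithm of
    the product is convex in t and the minimum found is the global one."""
    a, b = math.log(lo), math.log(hi)
    for _ in range(iters):
        m1, m2 = a + (b - a) / 3, b - (b - a) / 3
        if norm_product(f, g, math.exp(m1)) < norm_product(f, g, math.exp(m2)):
            b = m2
        else:
            a = m1
    return math.exp((a + b) / 2)

def exponent_of_N(f, g, s, N=C91):
    """The e with ||f||_{2,s} * ||g||_{2,s} = N^e."""
    return math.log(norm_product(f, g, s)) / math.log(N)

def compare(f, g, s_fixed):
    """Exponent at the skew used in the example and at the optimal skew."""
    s_opt = optimal_skew(f, g)
    return {"s_fixed": s_fixed, "e_fixed": exponent_of_N(f, g, s_fixed),
            "s_opt": s_opt, "e_opt": exponent_of_N(f, g, s_opt)}

if __name__ == "__main__":
    for name, f, g, s in (("Williams", F1, F2, 1.0),
                          ("Prest-Zimmermann", G1, G2, 1e8),
                          ("Koo-Jo-Kwon", H1, H2, 1e8)):
        print(name, compare(f, g, s))
```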



By extending their length $d+1$ GP construction, Koo, Jo and Kwon [13, Section 4.2] obtained a construction for length $d + 2$ geometric progressions. The construction begins by selecting positive integers $p = \Theta((kN)^{1/d})$ and $k = O(1)$ such that $x^d \equiv kN \pmod{p^2}$ has a nonzero solution $m = \Theta(p)$. Then the GP is taken to be

\[ [c_0, \dots, c_{d+1}] = \Big[ p^{d-1},\; p^{d-2} m,\; \dots,\; m^{d-1},\; \frac{m^d - kN}{p},\; \frac{m(m^d - kN)}{p^2} \Big], \]

with ratio $mp^{-1}$ modulo $N$. Koo, Jo and Kwon do not analyse their algorithm for skews $s \ne 1$. This analysis is undertaken in Section 5, where it is shown that the algorithm improves upon previous algorithms for $d \ge 3$, with polynomials of optimal size produced when $d = 3$. However, this improvement is offset in part by the additional complexity of determining suitable parameters $m$, $p$ and $k$.

4. Length d+1 construction revisited 



Each of the length $d+1$ GP constructions discussed in Section 3.3 led to geometric progressions $[c_0, \dots, c_d]$ for which $[c_0, \dots, c_{d-1}]$ forms a rational GP. The following theorem determines all such geometric progressions that, in addition, satisfy the properties necessary for polynomial generation.

Theorem 4.1. Let $[c_0, \dots, c_d]$ be a GP modulo $N$ with $d \ge 2$ and nonzero terms. Suppose that the following properties are satisfied:

(1) $\gcd(c_0, N) = 1$;

(2) $[c_0, \dots, c_{d-1}]$ is a rational GP;

(3) $[c_0, \dots, c_{d-1}, c_d]$ is not a rational GP.

Then there exist nonzero integers $a$, $p$, $m$ and $k$ with $\gcd(m, p) = 1$ such that

\[ (4.1)\quad [c_0, \dots, c_d] = \Big[ a p^{d-1},\; a p^{d-2} m,\; \dots,\; a m^{d-1},\; \frac{a m^d - kN}{p} \Big] . \]

Proof. Let $[c_0, \dots, c_d]$ satisfy the conditions of the theorem. The second property implies the existence of nonzero integers $a$, $p$ and $m$ with $\gcd(m, p) = 1$ such that $c_i = a p^{d-1-i} m^i$, for $0 \le i \le d-1$. Consequently, $\gcd(ap, N) = 1$ as a result of the first property. If $c_{\lfloor d/2 \rfloor} c_{\lceil d/2 \rceil} - c_0 c_d = 0$, then $[c_0, \dots, c_d]$ is a rational GP, violating the third property. Therefore, there exists a nonzero integer $l$ such that

\[ lN = c_{\lfloor d/2 \rfloor} c_{\lceil d/2 \rceil} - c_0 c_d = a p^{d-2} \left( a m^d - p c_d \right) . \]

Hence, $a m^d - p c_d = kN$ for some nonzero $k \in \mathbb{Z}$. □
Given an arbitrary GP $[c_0, \dots, c_{l-1}]$ with nonzero terms and length $l \ge 3$, $[c_0, c_1]$ forms a rational GP with ratio $c_1 c_0^{-1}$. The following corollary is therefore a direct consequence of Theorem 4.1.

Corollary 4.2. Let $[c_0, \dots, c_{l-1}]$ be a GP modulo $N$ with $l \ge 3$ and nonzero terms. Suppose that the following properties are satisfied:

(1) $\gcd(c_0, N) = 1$;

(2) $[c_0, \dots, c_{l-1}]$ is not a rational GP.

If $2 \le d < l$ is the largest index such that $[c_0, \dots, c_{d-1}]$ forms a rational GP, then there exist nonzero integers $a$, $p$, $m$ and $k$ with $\gcd(m, p) = 1$ such that $[c_0, \dots, c_d]$ is given by (4.1).

As a consequence of Theorem 4.1, the following nonlinear generation algorithm is obtained:

Algorithm 4.3.

Input: An integer $d \ge 2$. Positive integers $a$, $p$, $m$ and $k$ such that $\gcd(ap, N) = 1$, $\gcd(m, p) = 1$; and $(a m^d - kN)/p$ is a nonzero integer. A positive integer $s$.
Output: A pair of integer polynomials $f_1$ and $f_2$ with common root $mp^{-1}$ modulo $N$.

(1) Compute $c_i = a p^{d-1-i} m^i$, for $0 \le i \le d-1$; and $c_d = (a m^d - kN)/p$.

(2) Compute weights $S_i = s^{i-d/2}$, for $0 \le i \le d$.

(3) Let $L = [c_0, \dots, c_d]\mathbb{Z}$ and $S = \mathrm{diag}(S_0, \dots, S_d)$. Use Algorithm 3.4 to compute an LLL-reduced basis $(b_1, \dots, b_d)_S$ for the lattice $L_S$ (see Remark 4.4 below).

(4) For $i = 1, 2$, write $b_i = (a_{i,0}, \dots, a_{i,d})$ and return the polynomial $f_i = \sum_{j=0}^{d} a_{i,j} x^j$.

The length $d+1$ GP construction in Step 1 of Algorithm 4.3 reduces to the construction of Montgomery's two quadratics algorithm for parameters $d = 2$, $a = k = 1$; the constructions of the Williams and Prest-Zimmermann algorithms for $a = p = k = 1$; and the construction of the Koo-Jo-Kwon algorithm for $a = 1$. In the next section, parameter selection for Algorithm 4.3 is considered.

Remark 4.4. In Step 3 of Algorithm 4.3, a reduced basis for $L_S$ can be found by first computing an LLL-reduced basis for $L_{S'}$, where $S' = \mathrm{diag}(1, s, \dots, s^d)$. Given a reduced basis $(b_1, \dots, b_d)_{S'}$ for $L_{S'}$, the definition of LLL-reduced bases (Definition 2.5) then implies that $(s^{-d/2} b_1, \dots, s^{-d/2} b_d)_{S'}$ is also reduced. The latter is equal to $(b_1, \dots, b_d)_S$, a basis for $L_S$. The restriction by the algorithm to $s \in \mathbb{Z}$ ensures that a reduced basis for $L_{S'}$ can be found by using Algorithm 3.4.
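Algorithm 4.3 carried out in Python on the parameters of Example 3.8, as an added illustration that is not code from the paper: a basis of the orthogonal lattice of $c$ is built by extended gcds, skewed by the integer weights $s^i$ of Remark 4.4, reduced with a textbook LLL (Lovász constant $3/4$) standing in for Algorithm 3.4, and the two shortest vectors are read off as polynomials. The function names are my own, and the checks use the identity $p^d f(m/p) = a_d k N / a$ satisfied by every vector orthogonal to $c$.

```python
from fractions import Fraction
# Added example (not the paper's code); this LLL stands in for the paper's Algorithm 3.4.
def lll(B, delta=Fraction(3, 4)):
    """LLL-reduce the integer rows of B in exact rational arithmetic."""
    B = [list(r) for r in B]
    n = len(B)
    def dot(u, v):
        return sum(Fraction(x) * y for x, y in zip(u, v))
    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    Bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                for i in range(j + 1):          # b*_i is unchanged, only mu_{k,i} moves
                    mu[k][i] -= q * (mu[j][i] if i < j else 1)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                              # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B

def kernel_basis(c):
    """Basis of {x in Z^(d+1) : <x, c> = 0} (c_0 != 0); w keeps <w, c[:i]> = g = gcd(c[:i])."""
    def egcd(x, y):                             # (g, u, v) with u*x + v*y = g >= 0
        if y == 0:
            return (abs(x), 1 if x >= 0 else -1, 0)
        g, u, v = egcd(y, x % y)
        return (g, v, u - (x // y) * v)
    g, w, basis = abs(c[0]), [1 if c[0] > 0 else -1], []
    for i in range(1, len(c)):
        g2, u, v = egcd(g, c[i])
        basis.append([(c[i] // g2) * x for x in w] + [-(g // g2)])
        w, g = [u * x for x in w] + [v], g2
    return [b + [0] * (len(c) - len(b)) for b in basis]

def gp_length_d_plus_1(N, d, a, p, m, k):
    """Step 1: [a p^(d-1), a p^(d-2) m, ..., a m^(d-1), (a m^d - kN)/p]."""
    last, rem = divmod(a * m ** d - k * N, p)
    if rem or not last:
        raise ValueError("(a m^d - kN)/p must be a nonzero integer")
    return [a * p ** (d - 1 - i) * m ** i for i in range(d)] + [last]

def nonlinear_pair(N, d, a, p, m, k, s):
    """Algorithm 4.3 with weights S'_i = s^i (Remark 4.4); returns c, [f_1, f_2] as [a_0..a_d]."""
    c = gp_length_d_plus_1(N, d, a, p, m, k)
    skewed = [[x * s ** j for j, x in enumerate(b)] for b in kernel_basis(c)]
    reduced = lll(skewed)                       # Steps 2-3: reduce L_{S'}
    return c, [[x // s ** j for j, x in enumerate(b)] for b in reduced[:2]]  # Step 4

def homogeneous_value(f, m, p):
    """p^d f(m/p) = sum_j a_j m^j p^(d-j); for vectors orthogonal to c it is a_d k N / a."""
    d = len(f) - 1
    return sum(a_j * m ** j * p ** (d - j) for j, a_j in enumerate(f))

def skewed_norm_sq(f, s):
    """||f||_{2,s}^2 = sum_j a_j^2 s^(2j-d), exactly."""
    d = len(f) - 1
    return sum(Fraction(a_j * a_j) * Fraction(s) ** (2 * j - d) for j, a_j in enumerate(f))

# Example 3.8 data from the paper: N = c91, a = k = 1, p, s = 10^8 and
# m = ceil(N^(1/3)) + 5, with ceil(N^(1/3)) the value of m in Example 3.7.
C91 = int("4567176039894108704358752160655628192034927306"
          "969828397739074346628988327155475222843793393")
EX38 = dict(N=C91, d=3, a=1, p=776112641898,
            m=1659138281147271980794587079218 + 5, k=1, s=10 ** 8)
if __name__ == "__main__":
    print(nonlinear_pair(**EX38)[1])            # the two reduced polynomials for Example 3.8
```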

4.1. Parameter selection for Algorithm 4.3. Throughout this section, notation from Algorithm 4.3 is retained. In addition, let $c = [c_0, \dots, c_d]$. Then the polynomials $f_1$ and $f_2$ satisfy

(4.2)    for $i = 1, 2$.

In Section 1 it was noted that root properties play a key role in determining the yield of number field sieve polynomials. Polynomial roots are divided into two classes: projective and non-projective (see [24, Section 3.2] for a definition). When $a = 1$, Koo, Jo and Kwon [13, Remark 5] noted that choosing $k$ to contain a product of small primes improves the non-projective root properties of $f_1$ and $f_2$. More generally, (4.2) shows that selecting $a$ and $k$ to contain small prime factors can be used to aid both projective and non-projective root properties. However, the parameters $a$ and $k$ should be chosen small as $a/\gcd(a, k)$ divides $a_{i,d}$, for $i = 1, 2$; and $kN/\gcd(a, k)$ divides $\mathrm{Res}(f_1, f_2)$.

For $k = 1$, the parameter spaces of Algorithm 4.3 and Kleinjung's algorithm [11] coincide. The methods discussed by Kleinjung for efficiently generating parameters can be carried over to this setting and are readily extended to include $k \ne 1$. The reader is also referred to [13, Section 4.1] for a discussion of parameter selection when $a = 1$. Therefore, the problem of generating parameters will not be discussed here. Instead, it is shown that under an appropriate choice of parameters, Algorithm 4.3 can be used to obtain degree $d$ polynomials $f_1, f_2 \in \mathbb{Z}[x]$ with

\[ (4.3)\quad \|f_i\|_{2,s} = O\Big( N^{(1/d)(d^2-2d+2)/(d^2-d+2)} \Big), \quad \text{for } i = 1, 2. \]

This yields polynomials of size $O(N^{1/4})$, for $d = 2$; $O(N^{5/24})$, for $d = 3$; and $O(N^{5/28})$, for $d = 4$. The exponent for $d = 2$ is optimal as a result of Corollary 2.3. The bound (4.3) is obtained without any assumptions on the size of vectors in LLL-reduced bases. This is in contrast to the previous analyses of [30, 13].
Applying Theorem 3.6, the determinant of $L_S$ satisfies

\[ \det L_S \le (S_0 \cdots S_d) \cdot \sqrt{ \Big(\frac{c_0}{S_0}\Big)^2 + \dots + \Big(\frac{c_d}{S_d}\Big)^2 } . \]

For $0 \le i \le d-1$,

\[ \frac{c_i}{S_i} = a p^{d-i-1} m^i s^{d/2-i} = a p^{d-1} s^{d/2} \Big( \frac{m}{ps} \Big)^i . \]

Let $\hat m = (kN/a)^{1/d}$ and assume $m > \hat m$. Then

\[ \frac{c_d}{S_d} = \frac{a m^d - kN}{p}\, s^{-d/2} = \frac{a}{p}\,(m^d - \hat m^d)\, s^{-d/2} \le \frac{d\,(m - \hat m)}{ps} \cdot a p^{d-1} s^{d/2} \Big( \frac{m}{ps} \Big)^{d-1} . \]

Therefore, for parameters $p$ and $s$ satisfying $\sqrt d\,(m - \hat m) \le ps \le m$,

\[ (4.4)\quad \det L_S \le \sqrt{2d}\; a\, s^{1-d/2} m^{d-1} . \]

To minimise the determinant of $L_S$, it follows that the skew parameter $s$ should be chosen as large as possible and $m \approx \hat m$. However, the size of $s$ is limited by the requirement that two degree $d$ polynomials are found.

For a nonzero polynomial $f$ with coefficient vector $x \in L_S$ and degree less than $d$, (4.2) implies that $f(mp^{-1}) = 0$. Thus $f$ must contain a monomial with nonzero coefficient divisible by $m$. Accordingly, the coefficient vector $x$ satisfies $\|x\|_{2,s} \ge s^{-d/2} m$. Therefore, if the basis vectors $b_1$ and $b_2$ in the reduced basis for $L_S$ both satisfy $\|b_i\|_{2,s} < s^{-d/2} m$, then $f_1$ and $f_2$ each have degree equal to $d$. Below it is shown that selecting $s$ so that $\|b_1\|_{2,s} < s^{-d/2} m$ holds is sufficient to guarantee that two degree $d$ polynomials satisfying (4.3) can be found.

Theorem 2.6 and (4.4) imply that $\|b_1\|_{2,s} < s^{-d/2} m$ whenever

\[ 2^{(d-1)/4} \Big( \sqrt{2d}\; a\, s^{1-d/2} m^{d-1} \Big)^{1/d} < s^{-d/2} m . \]

Rearranging for $s$ gives the bound

\[ s < \frac{1}{\sqrt 2} \Big( \frac{m}{\sqrt d\, a} \Big)^{2/(d^2-d+2)} . \]

Recall that $s$ should be chosen as large as possible and $m \approx \hat m$ in order to minimise the determinant of $L_S$. Therefore, parameters should be chosen to satisfy

\[ m > \hat m = \Big( \frac{kN}{a} \Big)^{1/d}, \quad s < \frac{1}{\sqrt 2} \Big( \frac{m}{\sqrt d\, a} \Big)^{2/(d^2-d+2)}, \quad \sqrt d\,(m - \hat m) \le ps \le m, \]

with $m = \Theta(\hat m)$. For such parameters, $f_1$ is of degree $d$ with $f_1(mp^{-1}) \ne 0$, and substituting into the bound $\|b_1\|_{2,s} \le s^{-d/2} m$ shows that



\[ (4.5)\quad \|f_1\|_{2,s} = O\Big( a^{(2d-2)/(d(d^2-d+2))} \cdot k^{(d^2-2d+2)/(d(d^2-d+2))} \cdot N^{(d^2-2d+2)/(d(d^2-d+2))} \Big) . \]

Setting $a = O(1)$ and $k = O(1)$ leads to $f_1$ satisfying the bound in (4.3).

Repeating the analysis for $m < \hat m$ once again leads to parameters for which (4.5) is obtained. In both cases, the parameters satisfy

\[ (4.6)\quad m = \Theta\Big( \Big( \frac{kN}{a} \Big)^{1/d} \Big), \quad s = \Theta\Big( \Big( \frac{m}{\sqrt d\, a} \Big)^{2/(d^2-d+2)} \Big), \quad \sqrt d\, |m - \hat m| \le ps \le m . \]

For parameters satisfying (4.6), the condition $\|b_1\|_{2,s} \le s^{-d/2} m$ is now used to show that $b_2$ satisfies $\|b_2\|_{2,s} = O(s^{-d/2} m)$. Therefore, if the degree of $f_2$ is equal to $d$, then (4.3) holds. Otherwise, (4.3) is satisfied by the degree $d$ polynomials $f_1$ and $f_1 + f_2$.

Assume (4.6) holds and $\|b_1\|_{2,s} \le s^{-d/2} m$. Then the vector $b = (-m, p, 0, \dots, 0)$ in $L_S$ satisfies

\[ \|b\|_{2,s} = \sqrt{ (s^{-d/2} m)^2 + (s^{1-d/2} p)^2 } \le \sqrt 2\, s^{-d/2} m . \]

Moreover, the vectors $b_1, b \in L_S$ are linearly independent since $\deg f_1 = d$. Hence, $\lambda_2(L_S) = O(s^{-d/2} m)$ and Theorem 2.6 implies that $\|b_2\|_{2,s} = O(s^{-d/2} m)$.

Remark 4.5. The above arguments show that a degree $d$ polynomial

\[ f_{j_1, j_2, j_3}(x) = j_1 \cdot f_1(x) + j_2 \cdot f_2(x) + j_3 \cdot (px - m), \quad j_1, j_2, j_3 \in \mathbb{Z}, \]

will satisfy $\|f_{j_1, j_2, j_3}\|_{2,s} = O(s^{-d/2} m)$ whenever $j_i = O(1)$, for $i = 1, 2, 3$. Therefore, it is possible to obtain multiple pairs of degree $d$ polynomials that satisfy (4.3). Moreover, a sieve-like procedure such as that described in [24, Procedure 5.1.6] may be used to identify $f_{j_1, j_2, j_3}$ with good root properties.

5. The Koo-Jo-Kwon length d + 2 construction revisited 

By utilising their length $d + 2$ GP construction, Koo, Jo and Kwon obtained an algorithm for producing nonlinear polynomials of degree at most $d$ such that the coefficient of $x^{d-1}$ in each polynomial is equal to zero [13, Corollary 4]. Number field sieve polynomials with second highest coefficient equal to zero had previously been considered for linear algorithms by Kleinjung [10]. There the motivation was to produce polynomials with large skew in order to leverage practical advantages. In this section, it is shown that larger skews, when compared to those in Section 4.1, are able to be used in the Koo-Jo-Kwon algorithm. As a result, nonlinear polynomial pairs with smaller coefficient norms are obtained. To begin this section, minor improvements to the Koo-Jo-Kwon algorithm are now given.

It follows immediately from Corollary 4.2 that the length $d + 2$ GP construction of Koo, Jo and Kwon [13, Section 4.2] can be extended: if $a$, $p$, $k$, and $m$ are positive integers that satisfy $\gcd(ap, N) = 1$, $\gcd(m, p) = 1$ and $a m^d \equiv kN \pmod{p^2}$, then

\[ (5.1)\quad [c_0, \dots, c_{d+1}] = \Big[ a p^{d-1},\; a p^{d-2} m,\; \dots,\; a m^{d-1},\; \frac{a m^d - kN}{p},\; \frac{m(a m^d - kN)}{p^2} \Big] \]

is a GP with ratio $mp^{-1}$ modulo $N$. The Koo-Jo-Kwon construction then corresponds to the special case $a = 1$. Given a GP defined by (5.1), the proof of [13, Corollary 4] is readily modified to show that an integer polynomial $f = \sum_{i=0}^{d} a_i x^i$ with coefficient vector orthogonal to both $[c_0, \dots, c_d]$ and $[c_1, \dots, c_{d+1}]$ must have $a_{d-1} = 0$. A stronger statement is given by the following lemma.

Lemma 5.1. Let $a$, $p$, $m$, $k$ and $N$ be nonzero integers and $[c_0, \dots, c_{d+1}]$ be defined by (5.1). For any vector $(a_0, \dots, a_d) \in \mathbb{Z}^{d+1}$, the following conditions are equivalent:

(1) $(a_0, \dots, a_d)$ is orthogonal to $[c_0, \dots, c_d]$ and $[c_1, \dots, c_{d+1}]$.

(2) $a_{d-1} = 0$ and $(a_0, \dots, a_d)$ is orthogonal to $(c_1, \dots, c_{d-1}, 0, c_{d+1})$.

Proof. By construction,

\[ [c_0, \dots, c_d] - p m^{-1} [c_1, \dots, c_{d+1}] = [0, \dots, 0, m^{-1} kN, 0] . \]

Hence, $(a_0, \dots, a_d) \in \mathbb{Z}^{d+1}$ is orthogonal to $[c_0, \dots, c_d]$ and $[c_1, \dots, c_{d+1}]$ if and only if $a_{d-1} = 0$ and $(a_0, \dots, a_d)$ is orthogonal to the linearly dependent vectors $(c_0, \dots, c_{d-2}, 0, c_d)$ and $(c_1, \dots, c_{d-1}, 0, c_{d+1})$. □

Lemma 5.1 permits a somewhat smaller lattice to be used in the Koo-Jo-Kwon algorithm, thus offering a minor practical advantage. The improved algorithm can be described as follows:

Algorithm 5.2.

Input: An integer $d \ge 3$. Nonzero integers $a$, $p$, $k$ and $m$ such that $\gcd(ap, N) = 1$, $\gcd(m, p) = 1$; and $(a m^d - kN)/p^2$ is a nonzero integer. A positive integer $s$.
Output: A pair of integer polynomials $f_1$ and $f_2$ with common root $mp^{-1}$ modulo $N$.

(1) Compute $c_i = a p^{d-2-i} m^i$, for $0 \le i \le d-2$; and $c_{d-1} = (a m^d - kN)/p^2$.

(2) Compute weights $S_i = s^{i-d/2}$, for $0 \le i \le d-2$; and $S_{d-1} = s^{d/2}$.

(3) Let $L = (c_0, \dots, c_{d-1})\mathbb{Z}$ and $S = \mathrm{diag}(S_0, \dots, S_{d-1})$. Use Algorithm 3.4 to compute an LLL-reduced basis $(b_1, \dots, b_{d-1})_S$ for the lattice $L_S$.

(4) For $i = 1, 2$, write $b_i = (a_{i,0}, \dots, a_{i,d-2}, a_{i,d})$ and return the polynomial

\[ f_i = a_{i,d}\, x^d + \sum_{j=0}^{d-2} a_{i,j}\, x^j . \]

In the next section, parameter selection for Algorithm 5.2 is considered.

In Section 3.2, it was noted that a length $l$ geometric progression can be used to generate degree $d$ polynomials for all $l/2 < d < l$. Given a geometric progression $c = [c_0, \dots, c_{d+1}]$ defined by (5.1), it is therefore possible to generate polynomials of degrees $d$ and $d + 1$, for $d \ge 2$. Generating polynomials of degree less than $d$ should not be considered as $[c_0, \dots, c_{d-1}]$ forms a rational GP. A degree $d + 1$ polynomial $f = \sum_{i=0}^{d+1} a_i x^i$ with coefficient vector orthogonal to $c$ will satisfy

\[ f\Big( \frac{m}{p} \Big) \cdot p^{d+1} = \frac{kN}{a}\,( a_{d+1} m + a_d p ) . \]

Hence, following the approach of Section 4.1 and choosing parameters so that $f(mp^{-1}) \ne 0$ is not sufficient to guarantee that $f$ has degree equal to $d + 1$. Parameter selection is therefore more difficult and will not be addressed here.

5.1. Parameter selection for Algorithm 5.2. Throughout this section, notation from Algorithm 5.2 is retained. In addition, let $c = [c_0, \dots, c_{d-1}]$. Then the polynomials $f_1$ and $f_2$ satisfy

\[ f_i\Big( \frac{m}{p} \Big) \cdot p^{d} = \frac{p^2}{a}\, \langle b_i, c \rangle + \frac{a_{i,d}\, k}{a}\, N = \frac{a_{i,d}\, k}{a}\, N, \quad \text{for } i = 1, 2. \]

Therefore, similar to Section 4.1, the parameters $a$ and $k$ can be utilised to aid the root properties of $f_1$ and $f_2$. Generating parameters for Algorithm 5.2 is significantly more difficult than for Algorithm 4.3. This problem has, in effect, been considered by Kleinjung [10] and Koo-Jo-Kwon [13, Section 4.2]. Therefore, the problem will not be discussed here. Instead, the problem of selecting parameters that minimise the coefficient norms of $f_1$ and $f_2$ is now considered. Theorem 3.3 implies that

\[ \det L_S \le (S_0 \cdots S_{d-1}) \cdot \sqrt{ \Big(\frac{c_0}{S_0}\Big)^2 + \dots + \Big(\frac{c_{d-1}}{S_{d-1}}\Big)^2 } = s^{1-d/2} \sqrt{ \Big(\frac{c_0}{S_0}\Big)^2 + \dots + \Big(\frac{c_{d-1}}{S_{d-1}}\Big)^2 } . \]



By following the analysis of Section 4.1, the parameter space of Algorithm 5.2 can be restricted in such a way as to guarantee the degree of $f_1$ is equal to $d$ and

\[ \|f_1\|_{2,s} = O\Big( a^{(3d-4)/(d(d^2-3d+4))} \cdot p^{-d/(d^2-3d+4)} \cdot k^{1/d} \cdot N^{1/d} \Big) . \]

The restricted parameters then satisfy

\[ m = \Theta\Big( \Big( \frac{kN}{a} \Big)^{1/d} \Big), \quad s = \Theta\Big( \Big( \frac{p}{a} \Big)^{2/(d^2-3d+4)} \Big), \quad \sqrt d\, |m - \hat m| \le ps \le m . \]

Clearly, the parameter $p$ should be chosen as large as possible. By enforcing $p = \Theta(m/s)$,

\[ \|f_1\|_{2,s} = O\Big( a^{2(2d-3)/(d(d^2-3d+6))} \cdot k^{(d^2-4d+6)/(d(d^2-3d+6))} \cdot N^{(d^2-4d+6)/(d(d^2-3d+6))} \Big), \]

where $s = \Theta\big( (kN/a^{d+1})^{(2/d)/(d^2-3d+6)} \big)$. Similar to Section 4.1, if the degree of $f_2$ is not equal to $d$, then a second degree $d$ polynomial can be found by considering linear combinations of the polynomials $f_1$, $f_2$ and $px - m$. Finally, by setting $a = O(1)$ and $k = O(1)$, it follows that Algorithm 5.2 can be used to obtain a pair of degree $d$ polynomials with

\[ \|f_i\|_{2,s} = O\Big( N^{(1/d)(d^2-4d+6)/(d^2-3d+6)} \Big), \quad \text{for } i = 1, 2. \]

This yields polynomials of size $O(N^{1/6})$, for $d = 3$; and $O(N^{3/20})$, for $d = 4$. The exponent for $d = 3$ is optimal as a result of Corollary 2.3.